#VU105461 Resource exhaustion in oauth2 - CVE-2025-22868


Vulnerability identifier: #VU105461

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-22868

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
oauth2
Universal components / Libraries / Programming Languages & Components

Vendor: Google

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the jws package does not properly control consumption of internal resources when handling malformed tokens. A remote attacker can pass a malformed JWT token to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

oauth2: 0.1.0 - 0.26.0

External links
https://go.dev/cl/652155
https://go.dev/issue/71490
https://pkg.go.dev/vuln/GO-2025-3488

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2.12
Multiple vulnerabilities in Multicluster Engine for Kubernetes 2.7
SUSE update for cosign
SUSE update for rekor
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.15
Multiple vulnerabilities in Red Hat OpenShift Dev Spaces 3.20
Multiple vulnerabilities in Multicluster GlobalHub 1.3
Multiple vulnerabilities in Multicluster Engine for Kubernetes 2.8
SUSE update for docker, docker-stable
SUSE update for docker, docker-stable